Hardening the User

Defense in Depth Redux

Today, we are continuing our conversation on Defense in Depth.  We have firewalls with features like Geo-IP blocking, Intrusion Prevention, and content filtering.  Web browsers and DNS servers join in to warn about or block access to compromised web sites.  Endpoint security now goes beyond traditional signature-based anti-virus, adding artificial intelligence and application behavior analysis to protect against unknown threats.  Spam filtering and anti-phishing security protect our email inboxes from the nasties.  Hard drive encryption protects data at rest and security protocols encrypt data in transit.  Computer hardware helps protect operating systems from rootkits that hijack the lower-level “ring zero” (trusted) access to memory, CPU, storage, and other system resources.  Two-factor authentication and biometric access are quickly replacing traditional passwords.  In all of this “geek speak”, we left out a key ingredient – the end user.

End users are often referred to by IT support in the pejorative as the weak link in security, i.e., PEBKAC (Problem Exists Between Keyboard and Chair) or ID-10-T error (read: IDIOT).  If you have ever watched an episode of The IT Crowd, then you have likely observed the true nature of many tech-heads.  This arrogant attitude is often delivered with snarky and condescending questions like: “IS IT PLUGGED IN?!”, “IS IT TURNED ON?!”, “DID YOU REBOOT IT FIRST?!”  And whenever I’m on the receiving end of this treatment, I want to respond, “If I’m calling you then it’s not in your scripted manual, so please escalate to someone who can really help!”

But why this love-hate or sometimes hate-hate relationship between end-users and technical support?  It shouldn’t be that way.  Users need technology and the IT Department doesn’t exist for its own sake.  This dynamic needs to change from what is often “us versus them”, to “we”.  Working with, rather than against, the user is an opportunity to enhance security…and that’s a win-win!  To borrow a line, “All in all it’s just another brick in the wall.”  The user is a critical component of information security, perhaps the most critical.

The True Enemy

When we recognize we are all on the same team, we are ready to do battle against the true enemy – the sinister hacker.  We should not be surprised that the end goal for hackers is often financial reward.  Our business systems, with their files and data, are a treasure-trove of valuable information – proprietary business intellectual property, credit card numbers, social security numbers and other Personally Identifiable Information (PII).  Healthcare has what is called Protected Health Information (PHI).  Selling this information for use in identity theft and insurance fraud is a big reward.  Don’t forget bank account information and stored user credentials for all sorts of internal and external systems.  And even if our data isn’t valuable to the attacker, they know our data is valuable to the operations of our business.  Hackers encrypt the stored data, holding it hostage in exchange for a ransom.

Remember the Colonial Pipeline shutdown?  Their CEO authorized a $4.4 million payment to the hackers.  Just imagine making that tough decision!  Somehow parting with millions in Bitcoin was the best decision in the moment.  Monday morning quarterbacking makes me wonder about their business continuity plan, but that’s a topic for another time.  Much of this activity is coming from foreign governments – their employees clock in every day and launch attacks against businesses, large and small.  Many hackers get paid commissions on how much money they can extort.  We are all targets!

How to Harden the User

How do we go about solving the problem?  Here are some proposed first steps on our journey to hardening our end users:

  • Recognize the need to start a security awareness and education program
  • Incorporate regulatory compliance standards if required
  • Start somewhere, make improvements each time, and measure results

To that end, let’s start somewhere…

The upcoming TCS Education Webinar for Q3 2021 – “Hardening the User” will provide practical advice on how to be aware of and avoid the following user security issues:

  • Not believing we are a target (optimism bias)
  • Identity theft and other data privacy issues
  • Bad password habits
  • Using public Wi-Fi
  • Social engineering, including phishing and SMiShing (SMS phishing)
  • Insecure browsing

Stay tuned for more when we release the upcoming video companion and training guide to this article.  You will be able to share this out as a Security 101 class for your users.